Bug 1693447 - firewalld with Fail2ban and iptables -w intermittent no chain to the time point of execution
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 29
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Eric Garver
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-27 20:45 UTC by RobbieTheK
Modified: 2019-03-27 20:45 UTC
CC List: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:




Links
System: Github fail2ban/fail2ban
ID: issues/2211
Priority: None
Status: None
Summary: None
Last Updated: 2019-03-27 20:45:36 UTC

Description RobbieTheK 2019-03-27 20:45:10 UTC
I'm not sure if this should be firewalld, iptables or Fail2ban, so I'm starting with firewalld. We see this on multiple Fedora 29 servers and workstations.

Using fail2ban-0.10.4-1.fc29.noarch, firewalld-0.6.3-1.fc29.noarch & iptables-1.8.0-3.fc29.x86_64

As noted by sebres in https://github.com/fail2ban/fail2ban/issues/2211#issuecomment-477331597

Something has removed input chain f2b-pam-generic. The check shown with iptables -n -L INPUT | grep -q 'f2b-pam-generic[ \t]' shows there is no chain to the time point of execution.

The pam-generic jail is using iptables-allports and the others are using firewallcmd-ipset. Here are the errors:

2019-03-26 14:16:29,843 fail2ban.filter         [1058]: INFO    [recidive] Found 190.160.106.90 - 2019-03-26 14:16:29
2019-03-26 14:16:29,844 fail2ban.utils          [1058]: #39-Lev. 7f6c1c421030 -- exec: iptables  -n -L INPUT | grep -q 'f2b-pam-generic[ \t]'
2019-03-26 14:16:29,860 fail2ban.utils          [1058]: ERROR   7f6c1c421030 -- returned 1
2019-03-26 14:16:29,860 fail2ban.CommandAction  [1058]: ERROR   Invariant check failed. Trying to restore a sane environment
2019-03-26 14:16:29,871 fail2ban.utils          [1058]: #39-Lev. 7f6c1c410328 -- exec: iptables  -D INPUT -p tcp -j f2b-pam-generic
iptables  -F f2b-pam-generic
iptables  -X f2b-pam-generic
2019-03-26 14:16:29,872 fail2ban.utils          [1058]: ERROR   7f6c1c410328 -- stderr: "iptables v1.8.0 (legacy): Couldn't load target `f2b-pam-generic':No such file or directory"
2019-03-26 14:16:29,872 fail2ban.utils          [1058]: ERROR   7f6c1c410328 -- stderr: ''
2019-03-26 14:16:29,872 fail2ban.utils          [1058]: ERROR   7f6c1c410328 -- stderr: "Try `iptables -h' or 'iptables --help' for more information."
2019-03-26 14:16:29,872 fail2ban.utils          [1058]: ERROR   7f6c1c410328 -- stderr: 'iptables: No chain/target/match by that name.'
2019-03-26 14:16:29,872 fail2ban.utils          [1058]: ERROR   7f6c1c410328 -- stderr: 'iptables: No chain/target/match by that name.'
2019-03-26 14:16:29,872 fail2ban.utils          [1058]: ERROR   7f6c1c410328 -- returned 1
2019-03-26 14:16:29,879 fail2ban.utils          [1058]: #39-Lev. 7f6c1c421030 -- exec: iptables  -n -L INPUT | grep -q 'f2b-pam-generic[ \t]'
2019-03-26 14:16:29,879 fail2ban.utils          [1058]: ERROR   7f6c1c421030 -- returned 1
2019-03-26 14:16:29,879 fail2ban.CommandAction  [1058]: CRITICAL Unable to restore environment
2019-03-26 14:16:29,879 fail2ban.actions        [1058]: ERROR   Failed to execute ban jail 'pam-generic' action 'iptables-allports' info 'ActionInfo({'ip': '190.160.106.90', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f6c1fcd12f0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f6c1fcd1840

Could this be some conflict with iptables and firewalld and perhaps iptables -w (wait as in https://utcc.utoronto.ca/~cks/space/blog/linux/IptablesWOptionFumbles) not being supported?
iptables -w
iptables v1.8.0 (legacy): no command specified
Try `iptables -h' or 'iptables --help' for more information.
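An added offline replay of the invariant check that fails in the log above; this is example code written for this page, not part of the bug report or of fail2ban itself. The jail name pam-generic comes from the report, while the two INPUT listings are constructed samples and check_live is an assumed wrapper for running the same test on a real host.

```shell
#!/bin/sh
# Replays fail2ban's iptables-allports invariant check against a saved
# `iptables -n -L INPUT` listing, so the "chain gone" state can be examined
# without root. Constructed example; not fail2ban's own code.

# The chain name must be followed by blank space so that f2b-pam-generic
# does not also match a longer name such as f2b-pam-generic-2.
chain_referenced() {   # $1 = chain name, listing on stdin
    grep -q "$1[[:blank:]]"
}

# Constructed listing while the jail is healthy: INPUT jumps to the f2b chain.
LISTING_OK='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-pam-generic  tcp  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

# Constructed listing after INPUT was rebuilt without the jump rule, which is
# the state the 14:16:29 log lines report.
LISTING_GONE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

check_listing() {      # $1 = listing text, $2 = jail name; exit status mirrors the check
    if printf '%s\n' "$1" | chain_referenced "f2b-$2"; then
        echo "ok: INPUT still jumps to f2b-$2"
        return 0
    fi
    echo "invariant failed: no jump to f2b-$2 in INPUT (fail2ban would flush and recreate it)"
    return 1
}

# Live variant (assumed helper, needs root). -w is a flag, not a command, which
# is why `iptables -w` alone prints "no command specified"; combined with -L it
# waits for the xtables lock instead of failing while firewalld holds it.
check_live() {         # $1 = jail name
    iptables -w -n -L INPUT | chain_referenced "f2b-$1"
}

check_listing "$LISTING_OK" pam-generic
check_listing "$LISTING_GONE" pam-generic || true
```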

